The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, the military had accumulated a large collection of incompatible computer networks. Because of their incompatible data structures and transmission protocols, many of these computers could not communicate with other computers across network boundaries.
In the 1960s, the Defense Department wanted to develop a communication system that would permit communication between these different computer networks. Recognizing that a single, centralized communication system would be vulnerable to attacks or sabotage, the Defense Department required that the communication system be decentralized with no critical services concentrated in vulnerable failure points. In order to achieve this goal, the Defense Department established a decentralized communication protocol for communication between their computer networks.
A few years later, the National Science Foundation (NSF) wanted to facilitate communication between incompatible network computers at various research institutions across the country. The NSF adopted the Defense Department's protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.
Internet Protocols
The Defense Department's communication protocol governing data transmission between different networks was called the Internet Protocol (IP) standard. The IP standard has been widely adopted for the transmission of discrete information packets across network boundaries. In fact, the IP standard is the standard protocol governing communications between computers and networks on the Internet.
The IP standard identifies the types of services to be provided to users and specifies the mechanisms needed to support these services. The IP standard also specifies the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system.
A transmission protocol, the Transmission Control Protocol (TCP), was developed to provide connection-oriented, end-to-end data transmission over packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a suite of protocols for transmitting information packets between computers on the Internet. The TCP/IP suite has also become the standard for packet-switched networks that provide connectivity across network boundaries.
In a typical Internet-based communication scenario, data is transmitted from an originating communication device on a first network across a transmission medium to a destination communication device on a second network. After receipt at the second network, the packet is routed through the network to a destination communication device. Because standard protocols are used in Internet communications, the IP protocol on the destination communication device decodes the transmitted information into the original information transmitted by the originating device.
TCP/IP Addressing and Routing
A computer operating on a network is assigned a unique logical address under the TCP/IP protocols, called an IP address (the physical address belongs to the link-layer interface and is not part of the IP addressing scheme). The IP address can include: (1) a network ID identifying a network, (2) a sub-network ID identifying a substructure on the network, and (3) a host ID identifying a particular computer on the sub-network. A header data field in the information packet includes the source and destination addresses. The IP addressing scheme imposes a consistent structure that reflects the internal organization of the network or sub-network.
A router is used to regulate the transmission of information packets into and out of the computer network. Routers interpret the logical address contained in information packet headers and direct the information packets to the intended destination. Information packets addressed between computers on the same network do not pass through the router to the greater network, and as such, these information packets will not clutter the transmission lines of the greater network. If data is addressed to a computer outside the network, the router forwards the data onto the greater network.
TCP/IP network protocols define how routers determine the transmission path through a network and across network boundaries. Routing decisions are based upon information in the IP header and corresponding entries in a routing table maintained on the router. A routing table contains the information for a router to determine whether to accept an information packet on behalf of a device or pass the information packet onto another router.
Routing tables can be configured manually with routing table entries or with a dynamic routing protocol. A manual routing table can be configured upon initialization. In a dynamic routing protocol, routers update routing information with periodic information packet transmissions to other routers on the network. The dynamic routing protocol accommodates changing network topologies, network architecture, network structure, layout of routers, and interconnection between hosts and routers.
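The addressing and routing decisions described above, as an added worked example that is not part of the original description: the Python below splits a classful IPv4 address into the network, sub-network and host IDs, decides whether two hosts share a link (so the packet never reaches the router), and performs the router's accept-or-forward decision by longest-prefix lookup in a routing table that can be updated in place, as a dynamic routing protocol would do. The addresses, subnet masks and routing entries are constructed for illustration; the classful network lengths (8, 16 and 24 bits) are the RFC 791 scheme of the period the text describes.

```python
# Classful address decomposition and a longest-prefix routing table.
# Added example: every address and route below is constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def classful_network_bits(addr: ipaddress.IPv4Address) -> int:
    """Bits of the network ID under the classful scheme (RFC 791)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8        # class A
    if first_octet < 192:
        return 16       # class B
    if first_octet < 224:
        return 24       # class C
    raise ValueError("class D/E addresses have no network/host split")


def split_address(ip: str, mask_len: int) -> tuple:
    """Return (network ID, sub-network ID, host ID) of ip under a /mask_len subnet mask."""
    addr = ipaddress.IPv4Address(ip)
    net_bits = classful_network_bits(addr)
    if not net_bits <= mask_len <= 30:
        raise ValueError("subnet mask must not be shorter than the classful network")
    a = int(addr)
    network = a >> (32 - net_bits)
    subnet = (a >> (32 - mask_len)) & ((1 << (mask_len - net_bits)) - 1)
    host = a & ((1 << (32 - mask_len)) - 1)
    return network, subnet, host


def same_link(src: str, dst: str, mask_len: int) -> bool:
    """True when both hosts share a sub-network, so the packet never reaches the router."""
    return (ipaddress.ip_interface(f"{src}/{mask_len}").network
            == ipaddress.ip_interface(f"{dst}/{mask_len}").network)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None: directly connected, deliver on the interface
    interface: str


class Router:
    def __init__(self) -> None:
        self.table: list = []

    def add_route(self, prefix: str, next_hop: Optional[str], interface: str) -> None:
        """Install or replace an entry; a dynamic routing protocol calls this on each update."""
        net = ipaddress.ip_network(prefix)
        self.table = [r for r in self.table if r.prefix != net]
        self.table.append(Route(net, next_hop, interface))
        # most specific prefix first, so the first match wins the lookup
        self.table.sort(key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        return next((r for r in self.table if addr in r.prefix), None)

    def decide(self, dst: str) -> tuple:
        """(action, next_hop, interface): deliver locally, forward, or drop."""
        route = self.lookup(dst)
        if route is None:
            return ("drop", None, None)
        if route.next_hop is None:
            return ("deliver", None, route.interface)
        return ("forward", route.next_hop, route.interface)


def demo_router() -> Router:
    r = Router()
    r.add_route("192.168.1.0/24", None, "lan0")            # attached LAN
    r.add_route("10.0.0.0/8", "192.168.1.254", "lan0")     # another site's network
    r.add_route("10.5.0.0/16", "192.168.1.253", "lan0")    # more specific path inside it
    r.add_route("0.0.0.0/0", "203.0.113.1", "wan0")        # default route to the greater network
    return r


if __name__ == "__main__":
    print(split_address("10.1.2.3", 16))
    router = demo_router()
    for dst in ("192.168.1.7", "10.5.9.9", "10.4.4.4", "198.51.100.2"):
        print(dst, router.decide(dst))
```

Two points the paragraph leaves implicit are visible here: the table must be searched most-specific-first or a packet for 10.5.9.9 would wrongly take the /8 entry, and a router with no default route drops rather than forwards a packet it has no entry for.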
The IP-Based Mobility System
The Internet protocols were originally designed on the assumption that an Internet user would be connected to a single, fixed network. With the advent of cellular wireless communication systems and the mobile communication devices that use them, movement of Internet users within a network and across network boundaries has become common. This mobility violates the implicit design assumption of the Internet protocols, namely a fixed user location.
In an IP-based mobile communication system, the mobile communication device (e.g. cellular phone, pager, computer, etc.) can be called a Mobile Node. Typically, a Mobile Node maintains connectivity to its home network through a foreign network. The Mobile Node will always be associated with its home network for IP addressing purposes and will have information routed to it by routers located on the home and foreign networks. The routers can be referred to by a number of names including Home Agent, Home Mobility Manager, Home Location Register, Foreign Agent, Serving Mobility Manager, Visited Location Register, and Visiting Serving Entity.
While coupled to a foreign network, the Mobile Node will be assigned a care-of address. This is a temporary IP address assigned by the Foreign Agent on the foreign network. The care-of address corresponds to the communication link of the Mobile Node to the foreign network and is used by routers on the foreign network to route information packets addressed to the Mobile Node. While residing on a foreign network, a Mobile Node may move from one location to another, changing its connectivity to the network. This movement changes the physical location of the Mobile Node and requires updating routing tables and/or care-of addressing to keep up with the movement of the Mobile Node.
The Mobile Node keeps the Home Agent informed of its current location by registering the care-of address with the Home Agent. Essentially, the care-of address represents the current foreign network address where the Mobile Node is located. If the Home Agent receives an information packet addressed to the Mobile Node while the Mobile Node is located on a foreign network, the Home Agent will “tunnel” the information packet to the Mobile Node's current location on the foreign network via the applicable care-of address assigned by the Foreign Agent to route the information packet to the connected Mobile Node.
In some system architectures and protocols, Foreign Agents also take part in delivering information packets to a resident Mobile Node. The Foreign Agent receives information packets tunnelled from the Home Agent, de-tunnels them and forwards them to the Mobile Node. The Foreign Agent also serves as the default router for outgoing information packets generated by the Mobile Node while it is connected to the foreign network. Foreign Agents and Home Agents can route information packets over successive hops, router to router, to and from a Mobile Node. The registered care-of address identifies the Mobile Node's location on the foreign network, and the Home Agent and Foreign Agent use it to route information packets to and from the foreign network.
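The tunnelling step described in the two paragraphs above, as an added worked example (not code from the original description): the Home Agent encapsulates a packet addressed to the Mobile Node's home address inside a new IP packet addressed to the registered care-of address, and the Foreign Agent strips the outer header and hands the original packet to the visiting Mobile Node. IP-in-IP encapsulation (IP protocol 4, RFC 2003) is assumed as the tunnel format, since the text does not name one; RFC 2003's TTL and option handling is omitted. All addresses are constructed. The Foreign Agent also rejects a tunnelled packet whose outer source is not the Home Agent the visitor registered with, a check the text does not mention but that stops anyone from injecting traffic at a visitor through the tunnel.

```python
# Home Agent tunnelling to a care-of address with IP-in-IP encapsulation.
# Added example; addresses are constructed and the tunnel format (RFC 2003,
# protocol 4) is an assumption, since the text does not specify one.
import socket
import struct

IPPROTO_IPIP = 4
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options


def checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum; evaluates to 0 over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


class HomeAgent:
    def __init__(self, address: str):
        self.address = address
        self.bindings: dict = {}   # home address -> registered care-of address

    def register(self, home_addr: str, care_of: str) -> None:
        self.bindings[home_addr] = care_of

    def deregister(self, home_addr: str) -> None:
        self.bindings.pop(home_addr, None)

    def handle(self, pkt: bytes) -> tuple:
        """Packets for a visiting Mobile Node are tunnelled; all others go out on the home link."""
        inner = parse_ipv4(pkt)
        care_of = self.bindings.get(inner["dst"])
        if care_of is None:
            return ("home_link", pkt)
        return ("tunnel", build_ipv4(self.address, care_of, IPPROTO_IPIP, pkt))


class ForeignAgent:
    def __init__(self, care_of: str):
        self.care_of = care_of
        self.visitors: dict = {}   # visiting home address -> its Home Agent's address

    def decapsulate(self, pkt: bytes) -> tuple:
        """Strip the outer header; accept tunnels only from the visitor's own Home Agent."""
        outer = parse_ipv4(pkt)
        if outer["dst"] != self.care_of or outer["proto"] != IPPROTO_IPIP:
            raise ValueError("not a tunnel packet for this care-of address")
        inner = parse_ipv4(outer["payload"])
        if self.visitors.get(inner["dst"]) != outer["src"]:
            raise ValueError("tunnel source is not the Home Agent of " + inner["dst"])
        return (inner["dst"], outer["payload"])


def demo() -> tuple:
    ha, fa = HomeAgent("10.0.0.1"), ForeignAgent("192.0.2.1")
    ha.register("10.0.0.42", fa.care_of)          # care-of address learned from registration
    fa.visitors["10.0.0.42"] = ha.address
    original = build_ipv4("198.51.100.7", "10.0.0.42", 17, b"datagram for the MN")
    action, tunneled = ha.handle(original)
    mobile_node, delivered = fa.decapsulate(tunneled)
    return action, mobile_node, delivered == original


if __name__ == "__main__":
    print(demo())
```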
Registration of a Mobile Node
Foreign Agents and Home Agents periodically broadcast an agent advertisement to all nodes on the local network associated with that agent. An agent advertisement is a message from the agent on a network that may be issued under the Mobile IP protocol (RFC 2002) or any other type of communications protocol. This advertisement should include information that is required to uniquely identify a mobility agent (e.g. a Home Agent, a Foreign Agent, etc.) to a mobile node. Mobile Nodes examine the agent advertisement and determine whether they are connected to the home network or a foreign network.
If the Mobile Node is located on its home network, no additional actions need to be taken because information packets will be routed to the Mobile Node according to the standard addressing and routing scheme. If the Mobile Node is visiting a foreign network, however, the Mobile Node obtains appropriate information from the agent advertisement, and transmits a registration request message to its Home Agent. This registration request is routed through the Foreign Agent and includes a care-of address for the Mobile Node.
Typically, the Home Agent transmits a registration reply message back to the Mobile Node to confirm that registration has succeeded. The reply is sent to the care-of address and routed through the Foreign Agent to the Mobile Node. When the registration is accepted, a registration lifetime begins; when that lifetime expires, the communication session terminates and the network resources are freed. To keep a session alive, the Mobile Node periodically sends a new registration request and the Home Agent answers with a new registration reply, which restarts the lifetime and confirms that the foreign and home network resources are still required. Tying resources to a lifetime that must be renewed ensures they are not perpetually committed to communications that no longer exist.
Authentication, Authorization and Accounting (“AAA”)
In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. The Mobile IP Protocol (RFC 2002) assumes that mobile IP communications with a Mobile Node will be performed on a single administrative domain or a single network controlled by one administrator.
When a Mobile Node travels outside its home administrative domain, however, the Mobile Node must communicate through multiple domains in order to maintain network connectivity with its home network. While connected to a foreign network controlled by another administrative domain, network servers must authenticate, authorize and collect accounting information for services rendered to the Mobile Node. This authentication, authorization, and accounting activity is called “AAA”, and AAA servers on the home and foreign network perform the AAA activities for each network.
Authentication is the process of proving a claimed identity, and security systems on a mobile IP network will often require the user's identity to be authenticated before a requested activity is authorized. The AAA server authenticates the user's identity and, if the user is authorized, approves the Mobile Node's requested activity. The AAA server also provides the accounting function, tracking usage of, and charges for, transmission links between administrative domains.
The registration request and registration reply messages are used in the AAA process. They carry data fields containing AAA information that is processed by the AAA servers and, in some protocols, by the Home Agent and Foreign Agent. Two data attributes carried within the registration request and reply messages are a message identifier and a Foreign Agent “challenge.”
The challenge is a random value generated by the Foreign Agent and advertised to Mobile Nodes on its network. A Mobile Node that receives the challenge stores it and echoes it in its next registration request, and the Foreign Agent uses it to confirm locally, without involving the Home Agent, that a received registration request is fresh. A re-registration request that carries a prior, expired challenge (commonly called “stale”) is not authenticated, and the Foreign Agent will not re-register the Mobile Node; if no valid re-registration follows, the connection terminates when the lifetime expires. This check defends against replay: an attacker who intercepts a registration request and retransmits it in order to hijack network resources or gain unauthorized access to the network is presenting a stale challenge, so the foreign network detects the retransmitted message as invalid and rejects it.
The message identifier identifies an individual message on the network: each message generated by a component node carries a unique identifier, typically a timestamp of when the message was generated. A registration request that carries a previously used identifier, or a stale timestamp, is not authenticated at the Home Agent, and the Home Agent does not answer it with a registration reply; as before, the connection then terminates when the lifetime expires without re-registration. This check defends the home network against replay in the same way: an intercepted and retransmitted registration request repeats an identifier the Home Agent has already seen, so it is detected as invalid and not accepted. Because the check compares timestamps, the Mobile Node and Home Agent must keep loosely synchronized clocks; RFC 2002 also permits nonce-based identification, in which the Home Agent supplies the value to be used in the next request, for nodes that cannot.
A problem arises when the network is congested and registration request or reply messages are lost or delayed. If a Mobile Node does not receive a registration reply to the request it sent for re-registration, it retransmits the request with the same challenge, which the Foreign Agent now regards as expired or stale, but with a new identifier. Two cases lead to the same outcome: either the registration reply relayed by the Foreign Agent is lost altogether, or it arrives at the Mobile Node only after the Mobile Node has already retransmitted. In both cases the Foreign Agent receives a retransmitted registration request carrying a stale challenge and rejects it. If congestion continues, the Mobile Node may retransmit again, still with the stale challenge, before any reply reaches it. During re-registration this can become a loop of retransmissions and rejections that continues until the registration lifetime expires and the connection is terminated.
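The registration exchange from Registration of a Mobile Node, the two replay checks described above, and the retransmission failure in the preceding paragraph, as an added worked example that is not part of the original description: the Foreign Agent advertises a single-use challenge, the Mobile Node carries it together with a timestamp identification and an authenticator computed under the key it shares with the Home Agent, the Foreign Agent rejects a stale challenge locally, and the Home Agent rejects an identification that is outside its clock window or that it has already accepted, as well as any request whose authenticator does not verify. The message layout, the string result codes, the single-use challenge policy, HMAC-SHA256 in place of the MD5-based authenticator of the Mobile IP RFCs, the addresses, the clock window and the key are all assumptions. The `accept_previous` switch is likewise an assumption, included only to show that the retransmission loop depends on the Foreign Agent refusing the challenge it advertised immediately before; it is not a solution taken from the page.

```python
# Registration with a Foreign Agent challenge, a timestamp Identification and a shared-key
# authenticator. Added example: layout, result codes, policies, addresses and key are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

def mac(key: bytes, *fields) -> bytes:
    # HMAC-SHA256 stands in for the MD5-based authenticator of the Mobile IP RFCs
    return hmac.new(key, b"|".join(str(f).encode() for f in fields), hashlib.sha256).digest()

@dataclass(frozen=True)
class RegRequest:
    home_addr: str
    home_agent: str
    care_of: str
    lifetime: int
    identification: int   # microsecond timestamp; must increase for each Mobile Node
    challenge: bytes      # copied from the Foreign Agent's advertisement
    auth: bytes = b""     # Mobile-Home authenticator over the fields above

@dataclass(frozen=True)
class RegReply:
    code: str
    identification: int   # echoes the request so the Mobile Node can match it
    lifetime: int

def req_fields(r: RegRequest) -> tuple:
    return (r.home_addr, r.home_agent, r.care_of, r.lifetime, r.identification, r.challenge.hex())

class MobileNode:
    def __init__(self, home_addr: str, home_agent: str, key: bytes):
        self.home_addr, self.home_agent, self.key = home_addr, home_agent, key

    def request(self, care_of: str, challenge: bytes, now: float, lifetime: int = 300) -> RegRequest:
        req = RegRequest(self.home_addr, self.home_agent, care_of, lifetime, int(now * 1_000_000), challenge)
        return replace(req, auth=mac(self.key, *req_fields(req)))

class ForeignAgent:
    def __init__(self, care_of: str, accept_previous: bool = False):
        self.care_of = care_of
        self.accept_previous = accept_previous   # assumed relaxation, see lead-in
        self.current, self.previous = os.urandom(16), b""   # current is what gets advertised

    def relay(self, req: RegRequest) -> str:
        # local freshness check before the request is forwarded to the Home Agent
        if req.challenge == self.current:
            # single-use: once a request has carried it, advertise a fresh one
            self.previous, self.current = self.current, os.urandom(16)
            return "RELAYED"
        if self.accept_previous and req.challenge == self.previous:
            return "RELAYED"
        return "STALE_CHALLENGE"

class HomeAgent:
    def __init__(self, keys: dict, window_s: float = 7.0):
        self.keys, self.window_s = keys, window_s
        self.bindings: dict = {}     # home address -> (care-of address, expiry)
        self.last_ident: dict = {}   # home address -> last accepted Identification

    def process(self, req: RegRequest, now: float) -> RegReply:
        key = self.keys.get(req.home_addr)
        if key is None or not hmac.compare_digest(req.auth, mac(key, *req_fields(req))):
            return RegReply("AUTH_FAILED", req.identification, 0)
        # Identification must lie within the clock window and never have been accepted before
        if (abs(now - req.identification / 1_000_000) > self.window_s
                or req.identification <= self.last_ident.get(req.home_addr, -1)):
            return RegReply("ID_MISMATCH", req.identification, 0)
        self.last_ident[req.home_addr] = req.identification
        self.bindings[req.home_addr] = (req.care_of, now + req.lifetime)
        return RegReply("OK", req.identification, req.lifetime)

KEY = b"mn-ha-shared-secret"   # constructed Mobility Security Association
T0 = 1_700_000_000.0           # constructed "current time" in seconds
def setup(accept_previous: bool = False) -> tuple:
    return (MobileNode("10.0.0.42", "10.0.0.1", KEY),
            ForeignAgent("192.0.2.1", accept_previous), HomeAgent({"10.0.0.42": KEY}))

def replay_scenario() -> tuple:
    """An attacker captures a valid registration request and replays it unchanged."""
    mn, fa, ha = setup()
    req = mn.request(fa.care_of, fa.current, T0)
    if fa.relay(req) != "RELAYED" or ha.process(req, T0 + 0.1).code != "OK":
        raise RuntimeError("legitimate registration should succeed")
    fa_code = fa.relay(req)                     # challenge already consumed
    ha_code = ha.process(req, T0 + 0.2).code    # Identification already accepted
    tampered = replace(req, care_of="198.51.100.9", identification=req.identification + 1)
    return fa_code, ha_code, ha.process(tampered, T0 + 0.3).code

def congestion_scenario(accept_previous: bool) -> list:
    """Re-registration where the reply to the first request is lost in transit."""
    mn, fa, ha = setup(accept_previous)
    challenge = fa.current
    first = mn.request(fa.care_of, challenge, T0)
    log = [fa.relay(first), ha.process(first, T0 + 0.1).code]   # relayed and accepted, reply lost
    # seeing neither reply nor new advertisement, the Mobile Node retransmits with the same
    # (now stale) challenge and a fresh Identification
    retry = mn.request(fa.care_of, challenge, T0 + 2)
    log.append(fa.relay(retry))
    if log[-1] == "RELAYED":
        log.append(ha.process(retry, T0 + 2.1).code)
    return log
```

`replay_scenario()` returns `("STALE_CHALLENGE", "ID_MISMATCH", "AUTH_FAILED")`: the same captured request is stopped at the Foreign Agent by the consumed challenge, would be stopped at the Home Agent by the repeated identification even if it got through, and any edit to it breaks the authenticator. `congestion_scenario(False)` returns `["RELAYED", "OK", "STALE_CHALLENGE"]`, which is the loop from the paragraph above: the Home Agent has in fact accepted the registration, but the Mobile Node never learns it and every retransmission is refused at the Foreign Agent. With `accept_previous=True` the retransmission is relayed and the Home Agent accepts it because its identification is newer than the first.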